Rivarts.A Alert

Guest

Received alert this a.m. that this Backdoor/trojan was identified. Removed
it. Came back again 4 hours later with no browser access. Did a google on
it and suggests might be false positive &/or webroot spysweeper related. As
we run enterprise version of spysweeper, checked webroot support who deny
connection. Only found by M$ betas (1&2). Running copies of McAfee and
Webroot do not see. Removed registry entries. Showing up on 80% of pcs
registries in domain.

hklm\system\currentcontrolset\services\mchInjDrv

Legit or false from somewhere ? And why alert today if both M$ betas
installed for a while ?
 
Jonah

jjarmel said:
> Received alert this a.m. that this Backdoor/trojan was identified. Removed
> it. Came back again 4 hours later with no browser access. Did a google on
> it and suggests might be false positive &/or webroot spysweeper related. As
> we run enterprise version of spysweeper, checked webroot support who deny
> connection. Only found by M$ betas (1&2). Running copies of McAfee and
> Webroot do not see. Removed registry entries. Showing up on 80% of pcs
> registries in domain.
>
> hklm\system\currentcontrolset\services\mchInjDrv
>
> Legit or false from somewhere ? And why alert today if both M$ betas
> installed for a while ?

Had this myself today.

Turned out to be hooks installed by Trojan Hunter Guard to prevent
infection by this trojan, re-installs on reboot when TJ Guard starts up.
False Positive - confirmed by e mail from Mischel Security (TJ Hunter
Writers).

If you don't have Trojan Hunter its possibly another security application.

I wonder if the real Rivarts.A trojan was installed if MSAS Beta or
Defender would actually remove it properly?

Jonah
 
Bill Sanderson MVP

You could run a tool that tracks registry changes and probably ID where this
change is coming from--sysinternals regmon is what I have in mind.

I've seen another post about this, besides yours and Jonah's--this looks
likely to be a false positive, but worth investigating further to see where
it is coming from.
 
Jonah

> You could run a tool that tracks registry changes and probably ID where this
> change is coming from--sysinternals regmon is what I have in mind.
>
> I've seen another post about this, besides yours and Jonah's--this looks
> likely to be a false positive, but worth investigating further to see where
> it is coming from.

Yeah Bill,

I confirmed it was Trojan Hunter in 2 ways in my case.

Using test PC Windows XP SP2 Clean Install with NOD32 AV. All software
fully updated as necessary.

1. I got a hint from Google that TH Guard was the probable cause then
I ran MSAS on the test box without Trojan Hunter Installed - negative
result.

Installed Trojan Hunter, started the TH Guard element, rebooted and
OKed the MSAS change warnings. Ran MSAS Scan again and got a positive
result for Rivarts.A.

Restored via an image to pre Trojan Hunter and rescanned - negative.

2. Copied the results and registry keys detected to Mischel Security
who confirmed that the keys were from Trojan Hunter Guard and that the
detection was a false positive.

Also triggered by several other security apps - see here

http://forums.spybot.info/showthread.php?t=774

Details from MSAS Detection

Rivarts.A Backdoor more information...
Status: Ignored
Severe threat - Severe-risk items have an extreme potential for harm,
such as a security exploit, and should be removed.

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum 0 Root\LEGACY_MCHINJDRV\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum Count 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum NextInstance 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv Type 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv ErrorControl 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv Start 4
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv ImagePath \??\C:\DOCUME~1\Jonah\LOCALS~1\Temp\mc2C.tmp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv DeleteFlag 1

Apparently if there is no "command.exe" key the detection is a false
positive and the keys are there for protection purposes

Jonah
 
Bill Sanderson MVP

Thanks, Jonah--that seems quite clear and conclusive. Microsoft has usually
been pretty quick to fix this kind of issue--often with the next definition
release.
 
Guest

I reported this on CNET, Castlecops and AVG a couple of days ago.
I would have been more than happy to start a new thread, but the forum will
not let me.
I just get a "flash".

Even with cookie blocking disabled.


So, last MSASW update was 23MAR06, when this started.
I do not have "Trojan Hunter Guard", to the best of my knowledge.
Haven't been able to find it, anyway.
Nearest is "Spyware Blaster".

The question is, if this is the false positive all say it is, when is the
MSASW going to be updated to fix the false reporting so we don't freak out
when the problem is reported?

Maybe I'll get out my "False Positive" banner, drive over 85th to the
Redmond Campus, and hang it on the front of building 8?

Think that would help?

Right.

Any ideas on time frame?

And, who makes "Trojan Hunter Guard"?
 
Bill Sanderson MVP

I don't think it is Spyware Blaster--as far as I know, it sticks to setting
killbits on controls--not putting hooks into the registry. I'm quite sure
Microsoft is aware of the issue. I've seen such issues fixed in the next
weekly release more than once--we'll see.
 
Guest

Very sorry folks...didn't know that there's an existing thread on Rivarts.A,
and so I've posted a new thread...

I don't use Trojan Hunter guard and Spyware Blaster. The only 2 new
programs that I last installed were trial versions of Spyware Doc and Spy
Sweeper -- I believe that these might have been the cause because I didn't get
this Rivarts.A crap before then. Any similar experience?

Has anyone contacted MS? Hope it's a false positive...now, I'm freaking out
not sure whether I should use my PC for Internet banking transactions...

Please advise....
 
Guest

Okay, Bill, since we aren't quite certain which program(s) set this (I've
seen three listed for sure), what is the procedure to remove this update and
go back to the last one?

This is slightly ridiculous.
We have a serious "hit", yet we have on the one hand "false positive", and
on the other a backdoor keylogger.
I can keep removing this, but unless we know FOR SURE we have no idea if we
are safe.

FYI, Spybot, Spyware Doctor, SpywareBlaster, AVG, AdAware pro and AdWatch,
plus several on-line scans show nothing, zero, nada.
I even ran Blacklight to see if I had a rootkit and CWShredder and a current
HiJackThis scan to compare.

Any more comforting words than to wait for the next week's update?
 
Guest

Okay.
I re-named this registry entry, with the date in front, left it otherwise
all alone, and ran every scan I own.
It did not re-load.
Then I ran MSASW.
It did not, repeat NOT find the re-named file.

This is a guess.

The MSASW was looking for the entry header, not the contents.
If it was looking for contents, would not one surmise it would have seen the
same supposedly bad content?

All other scans clean.
 
Bill Sanderson MVP

Microsoft is aware of this issue, I believe, but I haven't seen a statement
from them.

Do a search of these groups on the Rivarts key--at least one user has done
pretty good research, and decided that without the actual executable, these
keys are harmless, and are the result of inoculation by antispyware, rather
than the genuine threat.
 
Bill Sanderson MVP

Why should reverting to a set of definitions that don't call this out
provide more comfort?

This is not a new threat, yet none of the competing programs that folks are
trying are finding it in place.

I understand the discomfort, and the best advice I can give is to find a
clear definition of what the real threat should consist of, and search for
those items on your system.

Jonah's messages in this thread contain that information I think--with this
link:

http://forums.spybot.info/showthread.php?t=774

and the indicator that command.exe needs to be in place in addition to the
registry entries.

Personally, I wish that Microsoft would provide more detailed information on
the threats detected, so that this research didn't have to be made via
Google or third-parties. I believe more of that kind of information is on
the way, but I'm not sure it will ever reach the level needed to provide
this kind of assurance.
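The following is an added example, not code from the thread, from Microsoft or from Mischel Security. It turns the triage this thread converges on (Jonah's MSAS listing above, Bill's advice to check what the real threat should consist of, and the "rename the key" experiment) into something you can run: it parses a constructed copy of the posted key/value listing, applies a name-only match of the kind the thread infers the MSAS definition used, and then a content-based triage (Start=4, DeleteFlag=1, ImagePath gone from disk, no command.exe anywhere). The `existing_files` set passed to `triage()` stands in for checking the disk and is an assumption of this example; on a real host you would read the keys with `winreg` and `os.path.exists()` the ImagePath instead.

```python
"""Added example, not code from the thread, Microsoft or Mischel Security: apply
the thread's own triage to the MSAS 'Rivarts.A' registry hits. Sample data is
constructed from Jonah's listing; the file set given to triage() stands in for
the disk (on a real host: winreg + os.path.exists)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Entries = Dict[Tuple[str, str], str]  # (key path, value name) -> data

# Constructed sample: the MSAS lines as posted, newsgroup line wraps re-joined.
SAMPLE_DETECTION = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum 0 Root\LEGACY_MCHINJDRV\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum Count 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv\Enum NextInstance 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv Type 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv ErrorControl 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv Start 4
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv ImagePath \??\C:\DOCUME~1\Jonah\LOCALS~1\Temp\mc2C.tmp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv DeleteFlag 1
"""


def parse_detection(text: str) -> Entries:
    """Parse 'KEY [NAME DATA...]' lines; a bare key is stored under value name ''."""
    entries: Entries = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].upper().startswith("HKEY_"):
            continue
        entries[(parts[0], parts[1] if len(parts) > 1 else "")] = " ".join(parts[2:])
    return entries


def service_keys(entries: Entries) -> List[str]:
    """Distinct service keys (the Enum subkey folds into its parent service)."""
    found = set()
    for key, _name in entries:
        m = re.match(r"(?i)(.*\\services\\[^\\]+)", key)
        if m:
            found.add(m.group(1))
    return sorted(found)


def signature_hit(entries: Entries, service_name: str = "mchInjDrv") -> bool:
    """Name-only match, which is what the thread infers the MSAS definition did:
    renaming the key stopped the alert although every value stayed the same."""
    suffix = "\\services\\" + service_name.lower()
    return any(k.lower().endswith(suffix) for k in service_keys(entries))


def normalize_image_path(raw: str) -> str:
    """Strip quotes and the NT object-manager prefix from an ImagePath value."""
    path = raw.strip().strip('"')
    return path[4:] if path.startswith("\\??\\") else path


@dataclass
class Verdict:
    service: str
    likely_false_positive: bool
    notes: List[str] = field(default_factory=list)


def triage(entries: Entries, existing_files: Set[str]) -> List[Verdict]:
    """Content-based triage: a disabled (Start=4), delete-flagged service whose
    ImagePath is gone, with no command.exe referenced or on disk, is the
    inoculation footprint (Trojan Hunter Guard and similar), not a live backdoor."""
    existing = {p.lower() for p in existing_files}
    verdicts = []
    for svc in service_keys(entries):
        vals = {n.lower(): d for (k, n), d in entries.items() if k == svc}
        ok, bad = [], []
        if vals.get("start") == "4":
            ok.append("Start=4 (SERVICE_DISABLED): never loaded at boot")
        else:
            bad.append("Start=%r: the driver could be loaded" % vals.get("start"))
        if vals.get("deleteflag") == "1":
            ok.append("DeleteFlag=1: the SCM drops the key on next boot")
        else:
            bad.append("no DeleteFlag: the key is meant to persist")
        image = normalize_image_path(vals.get("imagepath", ""))
        if image and image.lower() in existing:
            bad.append("ImagePath exists on disk, inspect it: " + image)
        else:
            ok.append("ImagePath not present on disk: " + (image or "<none>"))
        has_command = any("command.exe" in d.lower() for d in vals.values()) or any(
            p.endswith("\\command.exe") for p in existing)
        if has_command:
            bad.append("command.exe present: treat as the real threat")
        else:
            ok.append("no command.exe referenced in the key or found on disk")
        verdicts.append(Verdict(svc, not bad, ok + bad))
    return verdicts


def rename_service_key(entries: Entries, old: str, new: str) -> Entries:
    """Reproduce the 'date in front of the key name' experiment from the thread."""
    pattern = re.compile(re.escape("\\" + old), re.I)
    return {(pattern.sub(lambda _m: "\\" + new, k), n): d for (k, n), d in entries.items()}


if __name__ == "__main__":
    found = parse_detection(SAMPLE_DETECTION)
    print("name-keyed signature hit:", signature_hit(found))
    for v in triage(found, existing_files=set()):
        print(v.service, "-> likely false positive:", v.likely_false_positive)
        print("\n".join("    " + n for n in v.notes))
    renamed = rename_service_key(found, "mchInjDrv", "20060328_mchInjDrv")
    print("after rename: signature hit:", signature_hit(renamed),
          "| content triage FP:", triage(renamed, set())[0].likely_false_positive)
```

The two checks disagree in exactly the way the thread observed: the name-keyed match stops firing once the key is renamed, while the content triage still reaches the same verdict, and it flips to "investigate" as soon as the ImagePath file or a command.exe actually exists. The ImagePath and command.exe conditions are the ones to verify on a real box before deciding a hit is the inoculation footprint.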
 
Guest

True. Without the command, they don't work.
To me, if I had access to the previous update, and was able to scan and NOT
find it, I'd be more convinced this was a problem with the latest MSASW
update.
While it is comforting Gates and Co know about it, the lack of a response is
a little, as I said, disconcerting.
I was nailed twice, hence the array of ASW and the one AV program that are
run daily, plus frequent trips through System2, dllcache and the registry.


An ability to show myself the past update won't find it would be a little
more comforting to my feeble mind by way of encouraging me it really is a FP.

And, yes, I have read, and read, and read.

Other than having to deal with campus security, I still think the "False
Positive" banner on building 8 would be a hoot.

Once I got across the Redmond city line onto home turf I'd be fine.....

I'll just watch it.

I am, also, very puzzled MSASW did not find the re-named file in the
registry.....
 
Jonah

> True. Without the command, they don't work.
> To me, if I had access to the previous update, and was able to scan and NOT
> find it, I'd be more convinced this was a problem with the latest MSASW
> update.
> While it is comforting Gates and Co know about it, the lack of a response is
> a little, as I said, disconcerting.
> I was nailed twice, hence the array of ASW and the one AV program that are
> run daily, plus frequent trips through System2, dllcache and the registry.
>
> An ability to show myself the past update won't find it would be a little
> more comforting to my feeble mind by way of encouraging me it really is a FP.
>
> And, yes, I have read, and read, and read.
>
> Other than having to deal with campus security, I still think the "False
> Positive" banner on building 8 would be a hoot.
>
> Once I got across the Redmond city line onto home turf I'd be fine.....
>
> I'll just watch it.
>
> I am, also, very puzzled MSASW did not find the re-named file in the
> registry.....

Hi Curmudgeon,

Trojan Hunter is made by Mischel Security in Sweden, written by a guy
called Magnus. I got confirmation that this was a false positive from
the man himself, not from some minion in an Indian outsource centre.

Defender is a beta; it's not going to be perfect, nothing ever is. This
is just another problem to fix before it goes out as the finished
version.

The initial clue to this came from a guy called Bitman, who knows
exactly what he is doing; I have seen a lot of his stuff about. I just
followed up to confirm the false positive.
 
Bill Sanderson MVP

Mike Treit has responded in several Rivarts.A related threads--in this
group, and in Announcements, today.

 
